matanbuchus | 48ad2fadb0550066f0ee1d20b73cdb397c53479152c2f3d14fe7d09b8a972117 | Triage

Resubmissions

20-06-2022 15:44

220620-s6gncaedbj 10

20-06-2022 15:39

220620-s34zgaged3 10

Analysis

max time kernel
1628s
max time network
1631s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-06-2022 15:44

Sharing

Report Analysis Logs

General

Target

auth.dll
Size

1.5MB
MD5

abd3d08598ae706addcd289a75f2341e
SHA1

a358290a5bb6ac3a4b0f536bcda2b6d0640bef10
SHA256

48ad2fadb0550066f0ee1d20b73cdb397c53479152c2f3d14fe7d09b8a972117
SHA512

b45ea47ef0446e432703140f8df28baa65fd63e14b674fde5629ebe639b198b72dcc5526a8236101a2426dab465989c9e1885e68111b6d075ebd7d3b091bb0c7

Score

10^/10

matanbuchus loader

Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1800	1580	rundll32.exe	27
PID 1580 wrote to memory of 1800	1580	rundll32.exe	27
PID 1580 wrote to memory of 1800	1580	rundll32.exe	27
PID 1580 wrote to memory of 1800	1580	rundll32.exe	27
PID 1580 wrote to memory of 1800	1580	rundll32.exe	27
PID 1580 wrote to memory of 1800	1580	rundll32.exe	27
PID 1580 wrote to memory of 1800	1580	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\auth.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\auth.dll,#1
  2⤵
  PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-55-0x0000000076811000-0x0000000076813000-memory.dmp

Filesize
8KB

Download
memory/1800-56-0x0000000010000000-0x0000000010079000-memory.dmp

Filesize
484KB

Download